When you use FQDN cert + intermediate-certificate to setup HTTPS ingress, certificate is not being applied to virtual server.
Using a Secret where the PEM data contains both CA cert and FQDN cert does not work.
Specifically when querying the backend, LB returns the default cert instead of the one corresponding to the FQDN.
This issue occurs due to a bug in NCP logic, PKS does not support Certificate CA Chains (so... Intermediate CA Authorities). It supports single root CA only for now.
This is a known issue with NCP 2.3.x and will be fixed in future NCP releases.
As a work around, use single root CA certs only.